The use of plastic cards for payment transactions is ubiquitous in the modern economy. All involved parties e.g., the payment card industry, consumers, banks and merchants have an interest in making these card-based payment transactions secure and fraud-proof.
Early plastic cards were embossed with general data such as the card number and the cardholder's name. Signature fields and security printing were a feature of these cards created to provide protection against tampering and forgery. These security features, which relied solely on the retail staff for visual verification, did not eliminate fraud.
Now, plastic cards have a magnetic stripe added to the back of the cards in which card holder information and other security and encryption codes are stored in machine-readable form. The machine-readable nature of the data makes it more resistant to tampering or forgery. The physical structure and data content of the magnetic stripes are standardized to achieve desirable interoperability (e.g., most ATM cards work at every money machine in the world). Towards this end, industry standards organizations and groups (e.g., International Organization for Standards (ISO) and International Electro Technical Committee (IEC)) have formulated voluntary minimum standards for payment cards. An exemplary standard. which is applicable to magnetic stripes on payment cards, is the ISO/IEC 7811 standard (“ISO 7811”). This standard sets the minimum requirements for the data structures and encoding in payment cards' magnetic stripes.
According to ISO 7811, magnetic stripe data must be laid out in three tracks. A magnetic stripe card may have any one of these three tracks, or a combination of these tracks. Under the standard, Track 1, which was developed by the International Air Transportation Association (IATA), is 210 bpi with room for 79 7-bit characters. Track 1 is encoded with a 7-bit scheme (6 data bits plus one parity bit) based on ASCII. The seventh bit is an odd parity bit at the end of each byte. Track 2, which was developed by the American Bankers Association (ABA) for on-line financial transactions, is 75 bpi with room for 40 5-bit numeric characters. Track 3, which is also used for financial transactions, is 210 bpi with room for 107 numeric digits.
ISO 7811 further delimits data fields in the Tracks and reserves them for specific information. Track 1, for example, includes designated data fields for specific information such as Primary Account Number, Country Code, Surname, First Name or Initial, Middle Name or Initial, Title, and Expiration Date, etc. The data is encoded in ASCII.
Table 2 shows the standardized data field format recommended for Track 2.
Start Sentinel1 byte (0x0B, or a; in ASCII)Primary Account NumberUp to 19 bytesSeparator1 byte (0x0D, or an = in ASCII)Country Code3 bytes, if used. (The United States is 840)This is only used if the account numberbegins with “59”Expiration Date or Separator4 bytes (YYMM) or the one byte separatorif a non-expiring cardDiscretionary DataOptional data can be encoded hereby the issuerEnd Sentinel1 byte (0x0F, or a? in ASCII)Longitudinal Redundancy1 byteCheck (LRC)
Each of the three Tracks includes a data field, which is reserved for individual use by the card issuer or vendor. Card issuers or vendors often utilize the reserved data field, which is labeled “discretionary data”, to store a static authentication value or other vendor-specific identification information. For example, assignee MasterCard International Incorporated (“MasterCard”) prefers to store a numeric card validation code value (CVC1) in the Track 2 discretionary data field. The CVC1 value, which is a three digit encrypted number, can be checked to ensure that the magnetic stripe information has not been altered in any way. Other card vendors or issuers may store other codes or values in the discretionary data field, or none at all.
For processing a transaction, the card reader/terminal reads the formatted data, which is recorded in the card's magnetic stripe Tracks. The formatted data may be transmitted to an issuer or bank for validation or approval of the transaction.
The payment card industry is now exploiting developments in semiconductor device technologies to build in more functionality and features in the plastic payment cards. For example, smart cards that contain an actual integrated circuit chip, and contactless cards that use a magnetic field or radio frequency identification (RFID) tags for close-proximity reading are now available. The built-in electronic processing features of the smart cards and/or proximity cards make it possible deploy more rigorous solutions for securing card use and preventing fraud. For example, some available smart cards are configured to perform “on card” cryptographic functions for security solutions based on digital signatures.
Electronic payment systems based on these newer types of cards are in use or under development. For example, assignee MasterCard has developed proprietary specifications MasterCard PayPass™ ISO/IEC 14443 Implementation Specification (“PayPass”) for implementation of electronic payment systems based on proximity payment cards. A security solution, which may be utilized in PayPass, is based on generation of a dynamic authentication value or number (CVC3). The dynamic authentication value changes with each transaction. Thus, in the event an unauthorized person obtains the CVC3 number for a particular transaction, the unauthorized person cannot use that CVC3 number as the authentication value for the next or any other transactions. (See e.g., John Wankmueller, U.S. Pub. Appl. No. 20050127164 A1).
Any electronic payment system based on the new card technologies is likely to gain acceptance by users only if the new system is backwards compatible with legacy infrastructure (e.g., terminals, card readers, and back office operations), which was designed for processing magnetic stripe cards. Thus, it may be advantageous to provide payment cards that can function with both magnetic stripe card systems and proximity payment card systems. In such cards, it may be preferable to transmit the dynamic authentication value (CVC3) and other proximity card function specific data to the issuer or other validating party in a format which does not disturb the data fields or information required by ISO 7811 for magnetic stripe card transactions. It has been proposed that the CVC3 number and other proximity card function specific data should be placed in a discretionary data field of a magnetic stripe Track data format in the expectation that the standardized data fields required for magnetic stripe card operation will not be disturbed. Unfortunately, usage of the discretionary data fields by vendors and issuers is not consistent. For example, the static authentication values (e.g., CVC2) used by vendors may be either a 3 digit or a 4 digit number. Thus, the space available in the discretionary data fields for placing the CVC3 number may vary from card to card according to vendor encoding of the discretionary data fields. This varying availability of discretionary data space makes it difficult to standardize use of the space for storing proximity card function related data (e.g., CVC3).
Consideration is now being given to ways of making proximity payment card implementations compatible with existing standardized magnetic stripe payment card transaction processes. Attention is being directed to the development of proximity payment cards that can be used with existing magnetic stripe card infrastructure and processes. In particular, attention is being directed to the formatting of proximity function related data in a manner that does not disturb existing standardized data structures or information used in the magnetic stripe card transactions.